Posted on Fri, May 28, 2010 @ 01:01 PM
Authored by Mike Gargiullo, Sr. Security Consultant, Pivot Point Security
Ever need to work on a remote computer which is behind a typical firewall. Well if there is no inbound connectivity, you can play a bit of leap frog using ssh in order to gain access to that server. Here's a quick example.
For this example we'll assume you are sitting at Host A and would like to have access to Internal Host C. Both firewalls are assumed to allow ssh traffic out.
Our goal here is to have the Internal Host C machine start an ssh session to External Host B (which is on the internet).
SSH -R 2200:localhost:22 User@ExternalHostB
This will start an ssh session from Internal Host C to External Host B and ask the ssh daemon to forward all traffic on External Host B's port 2200 back to Internal Host C's port 22 over the established ssh session.
Now If I were on External Host B, to get a shell on Internal Host C all I'd have to do is:
SSH -p 2200 User@localhost
Now the USER in the above statement would have to be a valid user on Internal Host C, not External Host B.
To connect from Host A to Internal Host C you can do several things. The easiest is to leap frog.
SSH USER@ExternalHostB
Then
SSH -p 2200 USER@localhost
The first session opens a shell on External Host B. The second opens a shell on Internal Host C by connecting to the reverse shell we started in the first command.
This has been a simple reverse shell ssh post. Stay tuned for more port forwarding fun.
Posted on Fri, May 07, 2010 @ 02:48 PM
Authored by Bob Gorski, Sr. Security Consultant, Pivot Point Security
Several years ago I witnessed what was, at the time, possibly an ingenious method of theft. I was in a retail store that sold Apple 
products. A gentleman wearing iPod headphones was in the area, and appeared to be listening to some music while using one of the display computers to surf the web. It turns out, the music he was bobbing his head to existed only in his head, because he had configured his iPod to act as an external hard drive, and a FireWire cable was snaked out of his pocket and into the computer he was using. One of the joys of using Apple's OS X operating system (installing software by simply dragging the icon into the Applications folder) also makes it very easy to steal from (drag that icon from the Applications folder onto an external hard drive). By the time I located a store employee to point out what was going on, the guy had finished his business and moved on. I believe he got away with a copy of Microsoft Office (or about $300, from the retailer's point of view).
I was recently reminded of this when I attended a convention. A video game publisher had set up in the expo hall, and had PCs available for attendees to try out their latest, as-yet-unpublished game. One attendee thought so highly of the new game that he plugged a USB drive into the PC he was using and attempted to copy it so that he could continue to play on his own time. Unlike the gentleman in the previous story, this one did not make off with his ill-gotten goods, and ended up in the custody of the local police. If nobody had noticed what he was doing, that game probably would have been available on a peer-to-peer network by that evening. I don't know how to predict the cost of something like that, but I suspect I'm not out of line if I say, "A lot."
If you are a software publisher, it makes sense that you'd want to allow some level of "try before you buy" to your potential customers. Retail locations and conventions/trade shows are natural places to allow your target audience an opportunity to experience your product in its fullest form. What controls do you have in place to protect your product from the very public you want to interact with it?